Re: New Progress Events draft

Charles McCathieNevile wrote:
> 
> Hi folks,
> 
> at 
> http://dev.w3.org/cvsweb/~checkout~/2006/webapi/progress/Progress.html?rev=1.24 
> you will find a new draft of the progress events spec, for your 
> delectation...

So the spec says that for HEAD requests the size should include the size 
of headers. I just realized that this might be a security issue.

The headers can include the user's password, many times in clear text. If 
a site knows the size of the default headers for a given implementation, 
it can figure out the size of the user's password by subtracting the 
default size from the size reported from the 'load' event from a HEAD 
request.

/ Jonas

Received on Monday, 20 October 2008 15:50:07 UTC